Vertically integrated automatic threat level determination for containers and hosts in a containerization environment
Abstract
A threat level analyzer probes for one or more threats within an application container in a container system. Each threat is a vulnerability or a non-conformance with a benchmark setting. The threat level analyzer further probes for one or more threats within a host of the container service. The threat level analyzer generates a threat level assessment score based on results from the probing of the one or more threats of the application container and the one or more threats of the host, and generates a report for presentation in a user interface including the threat level assessment score and a list of threats discovered from the probe of the application container and the host. A report is transmitted by the threat level analyzer to a client device of a user for presentation in the user interface.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A computer-implemented method, comprising:
identifying a threat in one or more of an instance or a host of a virtualized system;
generating a threat level assessment score based on the threat;
generating a report comprising the threat level assessment score and a list of identified threats; and
transmitting the report to a user interface of a client device for display in a graphical view that shows the instance as a graphical indicator, the threat level assessment score with an adjacent threat score indicator, and arrow indicators that depict connections between instances.
2. The method of claim 1 , wherein the generating the threat level assessment score further comprises:
determine that the instance generates requests to access a Wide Area Network (WAN); and
increasing the threat level assessment score for the instance by a fixed value in response to it being determined that the instance generates requests to access the WAN.
3. The method of claim 2 , wherein the generating the threat level assessment score further comprises:
identifying abnormal network behavior of the one or more of the instance or the host; and
increasing the threat level assessment score for the one or more of the instance or the host by a fixed value in response to the abnormal network behavior.
4. The method of claim 1 , wherein the identifying the threat further comprises:
retrieving entries from a threat database, wherein each entry indicates a vulnerability using a Common Vulnerabilities and Exposures (CVE) identifier, and each entry uses a signature to identify the vulnerability;
identifying that a software resource of a software source of the one or more of the instance or the host matches a signature corresponding to the CVE identifier of an entry of the entries from the threat database; and
wherein the generating the threat level assessment score further comprises:
increasing the threat level assessment score for one or more of the instance or the host in response to an identification that the software source matches the signature corresponding to the entry.
5. The method of claim 1 , wherein the identifying the threat further comprises:
retrieving entries from a threat database, wherein each entry indicates a benchmark setting using a Common Vulnerabilities and Exposures (CVE) identifier, and each entry uses a signature to identify the benchmark setting;
identifying that a software resource of a software source of the one or more of the instance or the host matches a signature corresponding to the benchmark setting of an entry of the entries from the threat database; and
wherein the generating the threat level assessment score further comprises:
increasing the threat level assessment score for one or more of the instance or the host in response to an identification that the software source matches the signature corresponding to the benchmark setting corresponding to the entry.
6. The method of claim 1 , further comprising:
determining that the threat level assessment score exceeds a threshold value; and
suspending execution of the one or more of the instance or the host in response to a determination that the threat level assessment score for the instance exceeds the threshold value.
7. The method of claim 1 , wherein the system is a container system.
8. A system comprising:
a processor; and
memory storing instructions that, when executed by the processor, configures the processor to:
identify a threat in one or more of an instance or a host of the virtualized system;
generate a threat level assessment score based on the threat;
generate a report comprising the threat level assessment score and a list of identified threats; and
transmit the report to a user interface of a client device for display in a graphical view that shows the instance as a graphical indicator, the threat level assessment score with an adjacent threat score indicator, and arrow indicators that depict connections between instances.
9. The system of claim 8 , wherein when the processor generates the threat level assessment score, the processor is further configured:
determine that the instance generates requests to access a Wide Area Network (WAN); and
increase the threat level assessment score for the instance by a fixed value in response to it being determined that the instance generates requests to access the WAN.
10. The system of claim 9 , wherein when the processor generates the threat level assessment score, the processor is further configured:
identify abnormal network behavior of the one or more of the instance or the host; and
increase the threat level assessment score for the one or more of the instance or the host by a fixed value in response to the abnormal network behavior.
11. The system of claim 8 , wherein when the processor identifies the threat, the processor is further configured:
retrieve entries from a threat database, wherein each entry indicates a vulnerability using a Common Vulnerabilities and Exposures (CVE) identifier, and each entry uses a signature used to identify the vulnerability;
identify that a software resource of a software source of the one or more of the instance or the host matches a signature corresponding to the CVE identifier of an entry of the entries from the threat database; and
increase the threat level assessment score for one or more of the instance or the host in response to an identification that the software source matches the signature corresponding to the entry.
12. The system of claim 8 , wherein when the processor identifies the threat, the processor is further configured:
retrieve entries from a threat database, wherein each entry indicates a benchmark setting using a Common Vulnerabilities and Exposures (CVE) identifier, and each entry uses a signature to identify the benchmark setting;
identify that a software resource of a software source of the one or more of the instance or the host matches a signature corresponding to the benchmark setting of an entry of the entries from the threat database; and
increase the threat level assessment score for one or more of the instance or the host in response to an identification that the software source matches the signature corresponding to the benchmark setting corresponding to the entry.
13. The system of claim 8 , wherein the processor is configured to:
determine that the threat level assessment score for the instance exceeds a threshold value; and
suspend execution of the one or more of the instance or the host in response to a determination that the threat level assessment score for the instance exceeds the threshold value.
14. The system of claim 8 , wherein the system is a container system.
15. A non-transitory computer-readable medium comprising instructions that, when executed by a processor, configure the processor to:
identify a threat in one or more of an instance or a host of the virtualized system;
generate a threat level assessment score based on the threat;
generate a report comprising the threat level assessment score and a list of identified threats; and
transmit the report to a user interface of a client device for display in a graphical view that shows the instance as a graphical indicator, the threat level assessment score with an adjacent threat score indicator, and arrow indicators that depict connections between instances.
16. The non-transitory computer-readable medium of claim 15 , wherein when the processor generates the threat level assessment score, the processor is further configured to:
determine that the instance generates requests to access a Wide Area Network (WAN); and
increase the threat level assessment score for the instance by a fixed value in response to it being determined that the instance generates requests to access the WAN.
17. The non-transitory computer-readable medium of claim 16 , wherein when the processor generates the threat level assessment score, the processor is further configured to:
identify abnormal network behavior of the one or more of the instance or the host; and
increase the threat level assessment score for the one or more of the instance or the host by a fixed value in response to the abnormal network behavior.
18. The non-transitory computer-readable medium of claim 15 , wherein when the processor identifies the threat, the processor is further configured to:
retrieve entries from a threat database, wherein each entry indicates a vulnerability using a Common Vulnerabilities and Exposures (CVE) identifier, and each entry uses a signature to identify the vulnerability;
identify that a software resource of a software source of the one or more of the instance or the host matches a signature corresponding to the CVE identifier of an entry of the entries from the threat database; and
increase the threat level assessment score for one or more of the instance or the host in response to an identification that the software source matches the signature corresponding to the entry.
19. The non-transitory computer-readable medium of claim 15 , wherein when the processor identifies the threat, the processor is further configured to:
retrieve entries from a threat database, wherein each entry indicates a benchmark setting using a Common Vulnerabilities and Exposures (CVE) identifier, and each entry uses a signature used to identify the benchmark setting;
identify that a software resource of a software source of the one or more of the instance or the host matches a signature corresponding to the benchmark setting of an entry of the entries from the threat database; and
increase the threat level assessment score for one or more of the instance or the host in response to an identification that the software source matches the signature corresponding to the benchmark setting corresponding to the entry.
20. The non-transitory computer-readable medium of claim 15 , wherein the instructions further configure the processor to:
determine that the threat level assessment score exceeds a threshold value; and
suspend execution of the one or more of the instance or the host in response to a determination that the threat level assessment score for the instance exceeds the threshold value.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.